Head of iOS security to speak at Black Hat for the first time

Researcher Charlie Miller isn't sure the talk will offer much new info, though.

Apple Platform Security Manager Dallas De Atley is scheduled to present a talk at the annual Black Hat security conference on July 26. The talk, which will focus on "key security technologies in iOS," is the first official appearance by Apple since the conference's inception 15 years ago, and may be yet another sign that Apple is taking security more seriously than it has in the past.

Smartphone users are increasingly relying on their devices as a mobile repository of personal information, so securing that information is becoming a mainstream concern. For instance, iOS 6 will offer new features such as Passbook, which links a variety of user accounts from places like airlines and movie theaters in order to offer instant access to coupons, boarding passes, and other customer information. This information could potentially be used by hackers in addition to existing information like contacts, calendar items, e-mails, and other potentially sensitive data that is already stored on our phones.

While Apple has implied for years that its platforms were impervious to hackers and malware, recent events have revealed chinks in the armor.

For instance, security researcher Charlie Miller last year revealed a major flaw in iOS's security system meant to keep applications from executing code from writeable areas of memory. Goading an application to execute new instructions by overwriting otherwise protected memory areas is a common way hackers break into systems. Miller further embarrassed Apple by getting an app that demonstrated the flaw past its App Store review process, earning the researcher a one-year ban from the iOS developer program.

Additionally, the first verified iOS malware app, a trojan dubbed "Find and Call," was discovered by researchers earlier this month. The app tricked users into uploading their entire contact list to a server, which then spammed all uploaded contacts with SMS messages that appeared to come directly from the user.

The appearance at Black Hat is seen by some as a tacit admission that Apple needs to engage the security and hacker communities more directly. "Bottom line—no one at Apple speaks without marketing approval," Black Hat General Manager Trey Ford told Bloomberg. "Apple will be at Black Hat 2012, and marketing is on board."

But the planned discussion may not be very useful, according to Miller. "Maybe I'm wrong, but I think the community already understands everything about iOS security," he told Ars. "I'd rather hear about stuff we don't know about, like the app review process, internal security testing Apple performs, and how they deal with researchers."

Apple did not respond to our requests for more information about the planned talk.

Black Hat USA 2012 is currently in progress in Las Vegas. The scheduled briefings, including De Atley's iOS presentation, take place Wednesday and Thursday.

I don't think Apple has *EVER* stated (or even implied) that their platform was "impervious" or "immune" to attack or virus. They have stated that they are "more secure" than Windows.

Apple has never made that claim. It has just let the public opinion rule that away. The original presentation of the OSX showed that its architecture made it a lot more secure against viruses, but of course that gets telephoned and dumbed down to "Macs are immune to viruses".

A couple of years pass by without much incident and soon the only message that gets left amongst the masses is that "Macs are immune to viruses".

I can't even begin to tell you how many Mac users do not have antiviruses, and the unbelievable risks they take based on the whole virus-free adage. I've found tracking cookies galore, with crap tons of inactive malware. When Flashback hit, it was like a herd of sheep waking up for the first time with people running to the front desk saying "What do I do", "My computer isn't working as usual, do you think it's flashback?", etc. etc.

But the planned discussion may not be very useful, according to Miller. "Maybe I'm wrong, but I think the community already understands everything about iOS security," he told Ars. "I'd rather hear about stuff we don't know about, like the app review process, internal security testing Apple performs, and how they deal with researchers."

I disagree with Miller.

There is a lot of stuff we *think* we know about iOS security, but in reality the official documentation has holes and a lot of the things I "know" come from unofficial sources who are almost certainly wrong about a few things.

Hearing something official, without worrying about third party assumptions and bias, is a big deal.

Apple is just recognizing it as another marketing avenue/forum. Be prepared for a healthy dose of Kool-Aid and spin.

Ars anti-Apple trolls are amongst the most jaded on the web. They have no idea as to what they are going to say but that doesn't prevent them from judging. If they don't go they are ignoring security. If they do go, it's magical marketing spin.

How about waiting to see the content of what happens before you speak?

I can't seem to find a follow-up story to this one. Interest (from authors and readers both) might have surely waned with the Mountain Lion release that came right after this, but I'd be interested to hear what came of De Atley's talk. Sure, I could find that info elsewhere, but it'd be nice for Ars to follow up since it deemed his appearance worthy of an article beforehand. Pretty please?